[strongSwan] ANNOUNCE: strongswan-4.5.2rc1 released
andreas.steffen at strongswan.org
Mon May 9 17:18:01 CEST 2011
the upcoming strongSwan 4.5.2 release is nearing completion.
As a preview a first release candidate has been made available
on our download site. Then new release offers the following
- The *whitelist* plugin for the IKEv2 daemon maintains an
in-memory identity whitelist. Any connection attempt of peers
not whitelisted will get rejected. The 'ipsec whitelist' utility
provides a simple command line frontend for whitelist administration.
- The *duplicheck* plugin provides a specialized form of duplicate
checking, doing a liveness check on the old SA and optionally notify
a third party application about detected duplicates.
- The *coupling* plugin permanently couples two or more devices by
limiting authentication to previously used certificates.
- Duncan Salerno contributed the *eap-sim-pcsc* plugin implementing
a pcsc-lite based SIM card backend.
- The *eap-peap3 plugin implements Microsoft's EAP PEAPv0 protocol.
Interoperates successfully with a FreeRADIUS server and Windows 7
Agile VPN clients.
- In the case that the peer config and child config don't have the
same name (usually in SQL database defined connections),
ipsec up|route <peer config>
starts|routes all associated child configs and
ipsec up|route <child config>
only starts|routes the specific child config.
- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and
instructs all plugins to reload. Currently only the *eap-radius*
and the *attr* plugins support configuration reloading.
- Added userland support to the IKEv2 daemon for Extended Sequence
Numbers support coming with Linux 2.6.39. To enable ESN on a
connection, add the 'esn' keyword to the proposal. The default
proposal uses 32-bit sequence numbers only ('noesn'), and the same
value is used if no ESN mode is specified. To negotiate ESN support
with the peer, include both, e.g.
- In addition to ESN, Linux 2.6.39 gained support for replay windows
larger than 32 packets. The new global strongswan.conf option
configures the size of the replay window, in packets.
- Linux 2.6.38 introduced the AF_ALG Crypto API which makes the
crypto algorithms of the kernel available in userland. We have
created a number of example scenario showing the use of the
*af-alg* plugin for IKEv1
Please test the release candidate and give us a feedback on any
encountered problems. ETA for the stable release is in about 10 days.
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Users